We are currently deep in the throes of a global data center refresh cycle, driven by technology and business drivers. Virtualization and cloud computing are changing how data centers are being architected. The new threat landscape has framed the challenge of securing data and applications in a new light, and secure mobility and the extended enterprise have amplified the complexity of data center access.

As organizations look at data center consolidation or new data center designs, it’s a great time to be thinking of security, and building it into the network architecture instead of attempting to bolt it on later. This principle of “building security into the network” isn’t new. Security architects have long espoused the benefits of doing so, as adding security after the fact is likely to increase costs and complexity.

Top 5 things to consider in Building Security into the Virtualized Data Center

1. Create a Security Policy

Define your security policy. A security policy is a necessary evil: it is the blueprint that defines the overall security objectives, rules and regulations for an organization. It includes the disaster recovery plan, the governmental and industry regulations to comply with, and safe application enablement policies. It must have the buy-in of key stakeholders, must be documented and communicated, and must be enforced. Your policy should also consider the implications of combining virtualized workloads with different trust levels on the same server, and whether live migration of VMs should be restricted to servers supporting workloads with the same trust levels.

2. Define the Applications in the Data Center

Build a positive enforcement policy. A positive enforcement approach for your virtualized data center means that you identify, control and allow what is required for business operations in your organization. The alternative, a negative enforcement approach, means you selectively block what is not allowed, which requires a significant and never-ending effort to track every new application and decide whether it should be enabled. Deploy next-generation firewalls in monitor mode to gain visibility into all data center traffic and begin building the list of “allowed”, IT-sanctioned applications before safely enabling individual application functions at a granular level. A next-generation firewall can also categorize and analyze unknown traffic on the network to determine whether it is generated by a legitimate application that is simply not yet recognized, or by malware.

3. Understand Who is Accessing Your Data Center

Plan for your security solution to integrate with your user repository so that you can enforce access policies based on users instead of IP addresses, and incorporate user information into reports and dashboards. Consider subscribing to Forrester Research analyst John Kindervag’s Zero Trust philosophy (“do not trust, always verify”) of least privilege, where access control is strictly enforced and only minimal privileges are allowed.

4. Prepare for Threats in Your Virtualized Data Center

Virtualization-specific security threats and vulnerabilities have been well documented. Because a virtualized server is made up of many different components, from the hypervisor to the guest operating system and the application, each of these components needs to be secured to protect the virtualized environment. But you still need to address the other threats you would see in a traditional data center. For example, an Internet-facing virtualized data center may see denial-of-service attacks or automated script-kiddie attacks, while an enterprise-facing virtualized data center may see patient, multi-step intrusions leveraging a variety of threat vectors. By understanding the threats to your specific data center, you can better prepare to handle them.

5. Segment Your Virtualized Data Center

As you build your virtualized data center network, the fundamental security best practice is to segment. Segmentation in the enterprise data center can ensure that vulnerable parts of the data center are isolated from the rest of the network, and that specific servers that must comply with regulatory requirements are segmented to manage risk and reduce the scope of compliance audits. It also limits the extent of the damage if a hacker breaches one part of your data center. Segmentation is the best practice even in flat, layer 2 networks.
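To make items 2, 3 and 5 concrete, here is an added example (not code from the original post or from any vendor product) that models a positive-enforcement rule base keyed on user group, source and destination segment, and identified application, next to the negative-enforcement alternative. Zone names, user groups, application names and the sample flows are constructed placeholders.

```python
# Added example (not from the original post): a positive-enforcement rule base
# for a segmented data center. Zones, user groups and app names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user_group: str  # resolved from the user repository, not an IP address
    src_zone: str    # source segment
    dst_zone: str    # destination segment
    app: str         # application identified by the firewall, "unknown" if not

# Allow rules as (user_group, src_zone, dst_zone, app); "*" matches any group.
ALLOW_RULES = {
    ("finance", "campus", "pci-zone", "erp-app"),
    ("dba", "mgmt", "pci-zone", "mysql"),
    ("*", "campus", "web-zone", "web-browsing"),
}
BLOCK_LIST = {"bittorrent", "tor"}  # negative enforcement: known-bad apps only

def evaluate_positive(flow, rules=ALLOW_RULES):
    """Default deny: only listed app/user/zone combinations pass."""
    if flow.app == "unknown":
        return "deny", "unknown application: classify before enabling"
    for group, src, dst, app in rules:
        if group in ("*", flow.user_group) and (src, dst, app) == (flow.src_zone, flow.dst_zone, flow.app):
            return "allow", f"matched {(group, src, dst, app)}"
    return "deny", "no allow rule"

def evaluate_negative(flow, blocked=BLOCK_LIST):
    """Default allow: only listed apps are stopped, so unknown traffic passes."""
    return ("deny", "on block list") if flow.app in blocked else ("allow", "not on block list")

def audit(flows, rules=ALLOW_RULES):
    """Tally decisions for flows seen in monitor mode; unknown apps go to review."""
    summary = {"allow": 0, "deny": 0, "review": []}
    for f in flows:
        summary[evaluate_positive(f, rules)[0]] += 1
        if f.app == "unknown":
            summary["review"].append(f.src_zone + "->" + f.dst_zone)
    return summary

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("finance", "campus", "pci-zone", "erp-app"),
    Flow("finance", "campus", "pci-zone", "ssh"),       # no rule: denied
    Flow("guest", "campus", "web-zone", "web-browsing"),
    Flow("dba", "campus", "pci-zone", "mysql"),         # right app, wrong segment
    Flow("finance", "campus", "web-zone", "unknown"),   # passes a block list
]
```

Running `audit(SAMPLE_FLOWS)` shows the two flows that cross into the PCI segment without a matching rule being denied, while `evaluate_negative` lets the same flows, including the unknown application, straight through.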

Summary – Evolve Securing Your Infrastructure as Your Infrastructure Evolves

This top 5 list by no means addresses all of your design considerations in building security into your virtualized data center. But it’s a start. And unfortunately, unlike the Alice in Wonderland story, there is no ending to your security considerations. Just as a security policy is a living document that will continually be reviewed and adjusted based on new business objectives, your security considerations will continue to evolve as the application and threat landscape changes.

Cross-posted from: Security Week